On April 10, 2013, the SEC and the CFTC adopted joint rules and guidelines in order to address identity theft, as required by the Dodd-Frank Act. The rules and guidelines adopted by the SEC and CFTC are substantially similar to the identity theft rules jointly adopted in 2007 by the Federal Trade Commission and several other federal agencies (the Agencies). Entities regulated by the SEC and CFTC that are currently subject to the Agencies’ identity theft rules will now be subject to the SEC and CFTC rules. The adopting release notes that the final SEC and CFTC identity theft rules do not contain any requirements not already in the Agencies’ rules, nor do they expand the scope to cover any entities not already covered by the Agencies’ rules.

The final SEC and CFTC identity theft rules require “financial institutions” and “creditors” that offer or maintain “covered accounts” to develop and implement a written identity theft prevention program that includes reasonable policies and procedures to: (1) identify relevant red flags for the covered accounts; (2) detect the occurrence of red flags; (3) respond appropriately to any red flags when detected; and (4) periodically update the program to reflect changes in risks. With respect to the SEC rules, the scope of the definition of financial institutions generally covers broker-dealers, investment advisers and investment companies. With respect to the CFTC rules, the scope of the definition of financial institutions generally covers commodity pool operators, futures commission merchants and introducing brokers, among others. The SEC and CFTC rules also include guidelines that provide examples of red flags and the means to detect certain types of red flags, and other information intended to assist in the formulation and administration of an identity theft program.

The identity theft rules became effective on May 20, 2013, with a compliance date of November 20, 2013.